Microsoft Entra ID Configuration

Use this guide to configure Microsoft Entra ID in the Azure portal to allow read and optional write access for SecureAuth IAM integration.

After you complete this configuration, it is ready for integration with SecureAuth IAM.

Prerequisites

Before you begin, ensure you have:

  • Application Administrator account in Microsoft Entra ID
  • Administrative access to the Azure portal

Set up admin privileges in Microsoft Entra ID

To grant access to users in Microsoft Entra ID, you assign Microsoft Entra roles. A role is a collection of permissions.

You will need a Microsoft Entra ID user account with an assigned role of Application administrator on the Directory scope.

To assign this role to a user:

  1. Log in to the Microsoft Azure portal as at least a Privileged Role Administrator or Global Administrator.

  2. Go to the Microsoft Entra ID directory and from the left navigation, click Roles and administrators.

    Screenshot: Microsoft Entra ID Roles and administrators navigation

  3. Search for and select the Application Administrator role.

  4. Click Add assignments.

    Screenshot: Add assignments button for the Application Administrator role

  5. In the left navigation, set the Scope type to Directory. Then, select a user as a member and click Next.

    Screenshot: Scope type set to Directory with a user selected

  6. Set the Assignment type to Active, enter the justification, and click Assign.

    Screenshot: Assignment type set to Active with justification provided

Process

The configuration in the Azure portal consists of four tasks, A through D, described below.

Task A: Register an application for SecureAuth IAM

To integrate Microsoft Entra ID with SecureAuth IAM, you need to register an application in the Azure portal.

  1. Log in to your Azure Account through the Azure portal.

  2. Select Microsoft Entra ID.

  3. Select App registrations and click New registration.

    Screenshot: App registrations page with the New registration button

  4. Set a Name and keep the default Supported account types selection (single tenant).

    Screenshot: Register an application form with name and account type settings

  5. Click Register.

Task B: Add API permissions for SecureAuth IAM

You will need to grant read and write permissions for the SecureAuth IAM API calls to Microsoft Entra ID.

  1. From the App registrations list, click the name of the registered app that you just created.

  2. In the left pane, click API Permissions. Then, click Add a permission.

    Screenshot: API Permissions page with the Add a permission button

  3. Select Microsoft Graph.

    Screenshot: Request API permissions page showing the Microsoft Graph option

  4. Click Delegated permissions. Scroll down to find and select the following check boxes:

    • Directory.AccessAsUser.All
    • Directory.Read.All
    • Group.Read.All
    • User.Read
    • User.Read.All

    Screenshot: Delegated permissions selection showing the required permissions

  5. When you are done making your selections for delegated permissions, go to the bottom of the page and click Add permissions.

  6. Click Add a permission again and select Microsoft Graph.

  7. Click Application permissions. Scroll down to find and select the following check boxes:

    • Directory.Read.All
    • Group.Read.All
    • User.Read.All

    Screenshot: Application permissions selection showing the required permissions

  8. When you are done making your selections for application permissions, go to the bottom of the page and click Add permissions.

  9. View and verify the list of configured permissions and click Grant admin consent.

    Screenshot: Configured API permissions with the Grant admin consent button
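As a check after step 9, the following added example (not SecureAuth or Microsoft code) reconciles the Microsoft Graph permissions an app registration actually requests against the Task B list, flagging anything missing and anything beyond it. It works on the shapes Microsoft Graph returns for an application's requiredResourceAccess and for the Microsoft Graph service principal's permission catalogue; the sample data is constructed and the permission ids are placeholders, not real GUIDs.

```python
# Added example (not SecureAuth or Microsoft code): reconcile the Microsoft Graph
# permissions an app registration requests against the Task B list. Input shapes follow
# Graph's GET /applications/{id} (requiredResourceAccess) and the Microsoft Graph service
# principal (oauth2PermissionScopes / appRoles); sample data is constructed, ids are placeholders.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# Permissions the guide requires, as (type, name): Scope = delegated, Role = application.
EXPECTED = {
    ("Scope", "Directory.AccessAsUser.All"), ("Scope", "Directory.Read.All"),
    ("Scope", "Group.Read.All"), ("Scope", "User.Read"), ("Scope", "User.Read.All"),
    ("Role", "Directory.Read.All"), ("Role", "Group.Read.All"), ("Role", "User.Read.All"),
}

# Constructed stand-in for the Graph service principal's permission catalogue.
GRAPH_CATALOG = {
    "oauth2PermissionScopes": [{"id": f"scope-{i}", "value": v} for i, v in enumerate(
        ["Directory.AccessAsUser.All", "Directory.Read.All", "Group.Read.All",
         "User.Read", "User.Read.All", "Mail.ReadWrite"])],
    "appRoles": [{"id": f"role-{i}", "value": v} for i, v in enumerate(
        ["Directory.Read.All", "Group.Read.All", "User.Read.All", "Directory.ReadWrite.All"])],
}

# Constructed requiredResourceAccess: everything from Task B plus one application
# permission (Directory.ReadWrite.All) that the guide does not ask for.
SAMPLE_APP = [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": f"scope-{i}", "type": "Scope"} for i in range(5)]
                      + [{"id": f"role-{i}", "type": "Role"} for i in range(4)],
}]

def catalog_names(catalog):
    """Map permission id -> (type, name) using the resource's own catalogue."""
    names = {s["id"]: ("Scope", s["value"]) for s in catalog["oauth2PermissionScopes"]}
    names.update({r["id"]: ("Role", r["value"]) for r in catalog["appRoles"]})
    return names

def audit(required_resource_access, catalog=GRAPH_CATALOG):
    """Return (missing, unexpected): guide-listed permissions the app lacks, and
    permissions the app requests beyond the guide's list (a least-privilege check)."""
    names = catalog_names(catalog)
    requested = set()
    for resource in required_resource_access:
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope here
        for access in resource["resourceAccess"]:
            requested.add(names.get(access["id"], (access["type"], "unknown:" + access["id"])))
    return EXPECTED - requested, requested - EXPECTED

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_APP)
    print("missing:", sorted(missing), "unexpected:", sorted(unexpected))
```

Against real data, replace GRAPH_CATALOG and SAMPLE_APP with the JSON from the two Graph queries named in the comments; any entry reported as unexpected should be removed before admin consent is granted.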

Task C: Create the client secret

Create an application secret key for the SecureAuth IAM connection to Microsoft Entra ID. You will need to provide this client secret when configuring the connection in SecureAuth IAM.

  1. From the left pane, click Certificates & secrets. Then, click New client secret.

    Screenshot: Certificates & secrets page with the New client secret button

  2. Add a description for the client secret and choose 24 months for the expiration. Then, click Add.

    Screenshot: Add a client secret form with description and expiration settings

  3. Copy the client secret Value now; it is masked once you leave the page.

    Note: You will need this client secret value when configuring the connection in SecureAuth IAM.

    Screenshot: Client secret created, with the Value to copy

  4. From the left pane for this app registration, click Authentication.

  5. In the Advanced settings section, select Yes.

    Screenshot: Authentication page, Advanced settings with Yes selected

  6. Save your changes.

Task D: Get registered application information

For the SecureAuth IAM side of the configuration, you will need to copy and provide these two values: Application (client) ID and Directory (tenant) ID.

  1. Select Microsoft Entra ID.

  2. Select App registrations.

  3. From the list, click the application name link.

  4. In the Overview section, copy these values:

    Note: You will need these values for the SecureAuth IAM configuration.

    • Application (client) ID
    • Directory (tenant) ID

    Screenshot: App registration Overview page showing the Application (client) ID and Directory (tenant) ID

Next steps

After completing the configuration steps in your Microsoft Entra ID (Azure AD) portal, proceed to Connect Microsoft Entra ID in SecureAuth IAM.

To complete this step in the SecureAuth IAM admin console, you'll need the following values:

  • Directory Tenant ID - Your Microsoft Entra (Azure AD) tenant ID
  • Client ID - The application (client) ID from your Microsoft Entra ID app registration
  • Client Secret - The client secret associated with your Microsoft Entra ID application
  • Azure Tenant Domain - Your verified domain, such as company.onmicrosoft.com
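Before entering the values above into SecureAuth IAM, it is worth confirming that the tenant ID, client ID and client secret actually work together and that admin consent took effect. The following added example (not SecureAuth or Microsoft code) requests an app-only token with the OAuth 2.0 client credentials grant and checks that the token's roles claim lists the three application permissions from Task B; the delegated permissions (including Directory.AccessAsUser.All) only appear in a user token's scp claim, so they are not covered here. The sample token is constructed, unsigned and uses placeholder values so the check runs offline; fetch_token is the only part that needs the network.

```python
# Added example (not SecureAuth or Microsoft code): obtain an app-only token with the
# client credentials grant and verify the "roles" claim carries the application permissions
# consented in Task B. The sample token is constructed (unsigned, placeholder claims) so the
# check can run offline; only fetch_token() performs a network request.
import base64, json, urllib.parse, urllib.request

EXPECTED_ROLES = {"Directory.Read.All", "Group.Read.All", "User.Read.All"}

def token_request(tenant, client_id, client_secret):
    """Build the client credentials request to the Microsoft identity platform."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # all consented app permissions
    }).encode()
    return url, body

def fetch_token(tenant, client_id, client_secret):
    """Perform the request (needs network); returns the access_token string."""
    url, body = token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature; this only inspects what
    the issuer granted and must not be used to trust a token for authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_roles(token, expected=EXPECTED_ROLES):
    """Return (missing, extra) application permissions compared with the guide's list."""
    granted = set(jwt_claims(token).get("roles", []))
    return expected - granted, granted - expected

def make_sample_token(roles):
    """Constructed, unsigned JWT with placeholder claims for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "tid": "PLACEHOLDER-TENANT-ID",
                   "appid": "PLACEHOLDER-CLIENT-ID", "roles": sorted(roles)})
    return f"{header}.{payload}."

if __name__ == "__main__":
    # Offline demonstration; for a live check call fetch_token(tenant, client_id, secret).
    print(check_roles(make_sample_token(EXPECTED_ROLES | {"Mail.Read"})))
```

A non-empty missing set after a live request usually means admin consent in Task B step 9 was not granted; a non-empty extra set means the registration carries application permissions this guide does not call for.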